Secure Solutions for Apt-Key Add Deprecated Messages

Secure Solution to Deprecated "apt-key add" by Packagecloud

If you use Debian-based Linux distributions to update software, you probably rely on the advanced package tool (APT). APT comes with a library of features that let you interact with the software packages in your repository. Unfortunately, you might encounter errors that prevent you from authenticating packages being downloaded and installed. If you get a message that says “Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8))", you should consider its risks and opt for a more secure approach to your package and repository authentication.

This blog covers the following topics:

  • What does "apt-key add" do?
  • Why has "apt-key add" been deprecated?
  • Apt-key support ends with Debian 11 and Ubuntu 22.04
  • How Packagecloud can help you avoid "apt-key add deprecated" warnings

Packagecloud offers a solution that keeps your machine secure without giving you an “apt-key is deprecated” error. Experience the benefits of Packagecloud today by starting a free trial that gives you access to all of the platform’s features.


What Does “apt-key add” Do?

The “apt-key” command lets you manage the OpenPGP keys that APT uses to decide whether a repository is trusted. OpenPGP relies on public-key cryptography to authenticate packages: if the correct OpenPGP key is in APT's keyring and the repository's signature verifies against it, you can validate that you’re getting the packages from exactly where you intended.

The “apt-key add” command lets you add an OpenPGP key to APT's trusted keyring. For example, you might need to use “apt-key add” when you configure a repository for the first time.

If “apt-key add” doesn’t work for you, you can’t use it to add the key to the trusted list of keys for the repository, and you may need to resort to manual methods instead. Attempting to bypass the signature checks instead puts your machine’s security at risk: anyone who can tamper with your updates could inject malicious packages, which could lead to your machine being compromised.

When “apt-key add” works correctly, it adds the new OpenPGP key to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d.

When you get the “apt-key is deprecated” message, you should carefully think about the potential risks you may put your machine in if you still opt to proceed with apt-key.


Why Has “apt-key add” Been Deprecated?

“Apt-key add” gives your repositories some level of security, but it doesn’t work as well as you might expect. Although the warning message recommends adding the key to trusted.gpg or trusted.gpg.d, a key placed there is in fact trusted for every repository configured on the system, not just the one it was meant for. Unfortunately, it doesn’t provide repository-specific authentication. If someone has a key that is trusted for one repository, that key is trusted for all of them.

It’s pretty easy to see some of the ways that this setup could cause problems.

A key that works for all of the repositories configured on the system also makes it easier for malicious actors to add or replace any package on your machine. Suddenly, a person who can sign packages for one of your repositories can replace packages from any repository. That means you don’t have accurate information for your software bill of materials (SBOM), and you might unintentionally push malware and vulnerabilities to users through a software supply chain attack.

Think of your overall system as a warehouse and all of its repositories as individual units. The “apt-key add” gives users access to every repository in the system. That’s like giving someone a key that opens every unit in the warehouse. When you apply this concept to the warehouse scenario, it sounds like a very bad idea. It’s practically inevitable that someone will either enter the wrong storage unit or enter a unit with malicious intent.

APT now applies the same logic to “apt-key add.” It isn’t a very secure option, so you will get the “apt-key is deprecated” message.


Keys for Unofficial APT Repositories Could Also Give Unauthorized Users Access

The situation gets even less secure once you realize that any unofficial APT repository whose key gets added to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d can replace packages on your system. You could potentially lose months or even years of work because someone replaces packages your software requires to function.

Even if you have a backup that you can use to replace the lost packages, users will notice an outage that prevents them from accomplishing tasks. In the best-case scenario, you replace the lost packages before anyone gets attacked by a hacker or rogue employee taking advantage of the trust users have for your products.


Apt-key Support Ends With Debian 11 and Ubuntu 22.04

The developers of Debian and Ubuntu realize that the apt-key command has flaws. Support for the function ends with Debian 11 (Bullseye) and Ubuntu 22.04 (Jammy Jellyfish). If you don’t already get the “apt-key is deprecated” message, you will once you update to the next version of Debian or Ubuntu.

The bad news is that Debian 11 and Ubuntu 22.04 don’t offer a more secure option in the warning itself. Currently, the apt-key add deprecated message tells you to add keys to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d. That doesn’t help much, since both are equally unsecured. Additionally, there only seemed to be community-recommended workarounds to the issue, not an official fix to address this security flaw.

You already know that apt-key has a security vulnerability that could harm your products, organization, and users. Get ahead of the problem now by adopting a solution with higher security standards.

Start a free trial with Packagecloud to get a more secure way to control who has access to specific repositories in your system.


How Packagecloud Can Help You Avoid “apt-key add deprecated” Errors

Packagecloud succeeds where other GPG options fail. Your packages stay safe because Packagecloud gives you a secure method of authenticating from an absolute path to the GPG key.

The Packagecloud repo installation script imports the GPG keys to /etc/apt/keyrings/username_reponame-archive-keyring.gpg instead of /etc/apt/trusted.gpg.d or /etc/apt/trusted.gpg. After considering recommendations from the Linux Foundation and Neil from realtime Robotics, a dedicated Packagecloud community member, Packagecloud decided to import the keys into /etc/apt/keyrings as opposed to the Linux Foundation's /usr/share/keyrings.

As Neil advised, the latter directory (/usr/share/keyrings) is conventionally used as an installation destination only by Debian packages, and only then by those that provide keyrings to applications like apt.

Neil recommended making use of the /etc/apt/keyrings directory, which, on the other hand, was newly added by the apt developers in apt v2.4.0 as an alternative to /usr/share/keyrings for keys used by the signed-by option. Packagecloud decided to follow this advice and the apt developers’ approach by having the installation script place keys in this directory.

The Signed-By Option

The sources.list entry generated by Packagecloud uses the signed-by option:

deb [signed-by=/etc/apt/keyrings/username_reponame-archive-keyring.gpg] http://packagecloud.io/username/reponame/debian/ bullseye main

deb-src [signed-by=/etc/apt/keyrings/username_reponame-archive-keyring.gpg] http://packagecloud.io/username/reponame/debian/ bullseye main

When you install a package from the repository named in that sources.list entry, the repository must pass apt-secure verification against the specific key in /etc/apt/keyrings, rather than against every key APT has been configured to trust.

By taking this approach, the Packagecloud installation script makes it easier and safer for you to import GPG keys and authenticate packages without compromising security. A key in that directory that authenticates one repository will not be accepted for any other repository.
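As an added example (not Packagecloud's own installation script), the following POSIX shell renders a signed-by entry following the username_reponame-archive-keyring.gpg naming used above, and audits an existing sources file for deb/deb-src lines that still lack signed-by and therefore fall back to the global trusted keyring. The sample sources file is constructed inline; the key file itself is assumed to already be in /etc/apt/keyrings.

```shell
#!/bin/sh
# Added example: per-repository signed-by entries and an audit for entries
# that still rely on trusted.gpg / trusted.gpg.d. Not Packagecloud's script.

# Print the deb and deb-src lines for USER/REPO on suite DIST, pinned to the
# per-repository keyring in /etc/apt/keyrings (naming assumed from the text).
render_sources_entry() {
    user="$1"; repo="$2"; dist="$3"
    keyring="/etc/apt/keyrings/${user}_${repo}-archive-keyring.gpg"
    url="http://packagecloud.io/${user}/${repo}/debian/"
    printf 'deb [signed-by=%s] %s %s main\n' "$keyring" "$url" "$dist"
    printf 'deb-src [signed-by=%s] %s %s main\n' "$keyring" "$url" "$dist"
}

# Print every active deb/deb-src line in FILE with no signed-by option.
# Such lines are verified against every key APT trusts globally, which is
# the cross-repository trust problem described above. Comments are skipped.
find_unscoped_entries() {
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]' "$1" | grep -v 'signed-by=' || true
}

# Number of unscoped entries in FILE; 0 means every repository is pinned.
count_unscoped_entries() {
    find_unscoped_entries "$1" | grep -c . || true
}

# Demo on a constructed sources file (not a real system file).
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# constructed sample: one legacy entry, one entry already pinned
deb http://packagecloud.io/example/legacy/debian/ bullseye main
deb [signed-by=/etc/apt/keyrings/example_pinned-archive-keyring.gpg] http://packagecloud.io/example/pinned/debian/ bullseye main
EOF
echo "Entries still relying on the global keyring:"
find_unscoped_entries "$demo_file"
echo "Suggested replacement for the legacy entry:"
render_sources_entry example legacy bullseye
rm -f "$demo_file"
```

Run the audit against /etc/apt/sources.list and each file in /etc/apt/sources.list.d/ to find repositories that have not yet been moved to a dedicated keyring.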

(Note: Packagecloud’s approach is only applicable to operating systems running versions equivalent to or later than Debian 9 (Stretch), or apt v1.1+. Earlier versions, which have reached their end of life (EOL), cannot support the signed-by option and rely on apt finding the key in trusted.gpg or trusted.gpg.d.)

Of course, Packagecloud also compares your packages with a growing list of known malware and malicious code snippets. If Packagecloud finds a threat in an update, it will alert you before committing the package to your repository or pushing updates to machines in your IT ecosystem.

Start Your Free Trial With Packagecloud

Packagecloud is a cloud-based software distribution platform that lets you manage code in hosted private repositories. The platform takes an agnostic approach to software development, so you can use it regardless of your preferred programming language and operating system. You can even use it to push updated packages to diverse machines and environments throughout your IT ecosystem.

As a cloud-based platform, you don’t need to invest in expensive infrastructure when you use Packagecloud to store your repositories. Instead, you get an affordable, secure, and efficient way to manage your code.

Start a free trial to experience how Packagecloud can benefit your organization.

This article was originally composed on June 7th 2022, and recently updated according to the listed date.
